the-binary - Command 12 - Initiate DNS query flood


This command causes the agent to initiate a DNS query flood aimed at a specific DNS server.  By using a non-random source IP it is also possible to flood a specific target with DNS responses at the same time.


A handler sends the following command to initiate a DNS query flood  (xxx = don't care):
2 xxx xxx 12
destination ip
source ip
padding for a minimum packet size
of 201 bytes including the IP header
NOTE: the shaded bytes must be encoded prior to transmission to the agent.


destination IP:
The IP address of the DNS server that is to be flooded. This field is in network byte order. If nameFlag is non-zero, this field will be ignored.  See description of nameFlag and name parameters below.
source IP:
The source IP to be spoofed.  All DNS responses will be sent to this host.  If is specified, a random source address will be generated for each DNS query.  This field is in network byte order.
count: int range 0-255
This parameter's purpose is to set the time between calls to gethostbyname when a DNS server is being targeted by name rather than IP.  A lookup is performed following every 40000 * count packets.  A count of zero is equivalent to a count of 1. HOWEVER, as with commands 4 and 9, the author's improper nesting of loops prevents this parameter from having any useful effect.
The spoofed source port from which the DNS request appears to originate.  If both of these are zero, then the source port is randomized for every request.
nameFlag: boolean
If non-zero, ignore the destination IP and instead do a gethostbyname lookup on the hostname specified in the name parameter.  If a name lookup fails, the flood process will sleep for 10 minutes before attempting another lookup.  The flood process will loop indefinitely until a successful lookup occurs, at which point the process will commence flooding the named host.  Unlike the use of this parameter in command 10, it is unlikely that the host name will ever be rechecked, because of poor programming on the part of the author.
name: char*
Useful only if nameFlag is non-zero.  This parameter contains the null terminated host name of the host to be targeted by this flood.


The agent sends no response to this message.  It simply initiates a DNS query flooding service aimed at the destination IP/name as specified by the nameFlag parameter.  The behavior of this flooding process is described below.

The binary contains 9 canned DNS queries (".com", ".net", ".de", ".edu", ".org", "", ".es", ".gr", ".ie").  The algorithm for this service is specified below.

   repeat forever
      for each of the query types
         send a query to the target DNS server
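The traffic this loop produces has a recognizable shape from the resolver's side: queries for bare top-level labels or the root, padded to at least 201 bytes including the IP header, arriving in a tight loop, and coming either from randomized spoofed sources or from one fixed spoofed source (which then also receives every response).  The following detection heuristic is an added example written for this page; it is not code from the original analysis or from the-binary.  The five-column log format (epoch seconds, source IP, source port, IP packet length, query name, with "." standing for the root) is constructed for the example and is not any real resolver's log format.

```python
"""Resolver-side detection heuristic for the canned-query DNS flood described above.

Added example, not code from the original analysis or from the-binary.
Constructed log line format (not a real resolver's format):
    <epoch_seconds> <src_ip> <src_port> <ip_packet_len> <qname>
where <qname> is "." for a root query.
"""
from collections import defaultdict

# The nine canned query names the analysis attributes to the agent; "" is the root.
CANNED_QNAMES = frozenset(["com", "net", "de", "edu", "org", "", "es", "gr", "ie"])

# The agent pads each query to at least 201 bytes including the IP header;
# a genuine query for a bare TLD or the root is far smaller than that.
MIN_FLOOD_IP_LEN = 201


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts, port, ip_len = float(parts[0]), int(parts[2]), int(parts[3])
    except ValueError:
        return None
    qname = parts[4].strip(".").lower()  # "." (root) becomes ""
    return {"ts": ts, "src_ip": parts[1], "src_port": port,
            "ip_len": ip_len, "qname": qname}


def is_suspect(rec):
    """A padded query for one of the nine canned names matches the agent's output."""
    return rec["qname"] in CANNED_QNAMES and rec["ip_len"] >= MIN_FLOOD_IP_LEN


def detect_flood(lines, window=1.0, threshold=20):
    """Bucket suspect queries into fixed time windows and alert on dense buckets.

    Each alert reports the number of distinct source IPs: many means randomized
    spoofed sources; exactly one means a fixed spoofed source, i.e. a host that
    is being hit with the DNS responses and should be treated as a victim too.
    """
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if is_suspect(rec):
            buckets[int(rec["ts"] // window)].append(rec)
    alerts = []
    for bucket, recs in sorted(buckets.items()):
        if len(recs) < threshold:
            continue
        srcs = {r["src_ip"] for r in recs}
        alerts.append({
            "window_start": bucket * window,
            "queries": len(recs),
            "distinct_sources": len(srcs),
            "qnames": sorted({r["qname"] for r in recs}),
            "reflection_victim": next(iter(srcs)) if len(srcs) == 1 else None,
        })
    return alerts


# Constructed sample: three ordinary queries, then 27 padded canned queries
# cycling through the nine names from one fixed spoofed source.
BENIGN = [
    "1000.10 192.0.2.10 53211 62 www.example.com",
    "1000.40 192.0.2.11 40021 58 mail.example.org",
    "1000.90 192.0.2.12 51000 61 ns1.example.net",
]
FLOOD = ["%.3f 10.0.0.7 %d 201 %s" % (1001.0 + i * 0.02, 1024 + i, q or ".")
         for i, q in enumerate(sorted(CANNED_QNAMES) * 3)]
SAMPLE_LOG = BENIGN + FLOOD

if __name__ == "__main__":
    for alert in detect_flood(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs; the distinguishing signals are the query names and the padded packet length, not the rate alone, so a single window of twenty such queries is already far outside normal resolver traffic.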
Generated DNS query packets display the following attributes: